Encryption and Hashing Fundamentals
Encryption and hashing are two fundamental concepts in cybersecurity that protect data integrity and confidentiality. **Encryption** is the process of converting plaintext data into an unreadable format (ciphertext) using an algorithm and a key. Only authorized parties with the correct decryption key can revert the data to its original form. There are two main types:
1. **Symmetric Encryption**: Uses the same key for both encryption and decryption. It is fast and efficient for large data volumes. Examples include AES (Advanced Encryption Standard) and the older DES (Data Encryption Standard), whose 56-bit key can now be brute-forced and which should not be used for new systems.
2. **Asymmetric Encryption**: Uses a pair of keys: a public key for encryption and a private key for decryption. This method is commonly used in secure communications like SSL/TLS and in digital signatures. Examples include RSA and Elliptic Curve Cryptography (ECC).
Encryption protects data in two states:
- **Data at rest**: Data stored on disks, databases, or storage accounts.
- **Data in transit**: Data moving across networks, such as between a user and a server.
**Hashing** is a one-way process that converts data into a fixed-length string (hash value) using a mathematical algorithm. Unlike encryption, hashing is irreversible: you cannot retrieve the original data from the hash. Common hashing algorithms include SHA-256 and the older MD5, which is no longer collision-resistant. Hashing is primarily used for:
- **Data integrity verification**: Ensuring data has not been tampered with by comparing hash values.
- **Password storage**: Storing hashed passwords instead of plaintext, often combined with salting (adding random data before hashing) to prevent rainbow table attacks.
**Key Differences**:
- Encryption is reversible with the correct key; hashing is not.
- Encryption ensures confidentiality; hashing ensures integrity.
- Encryption produces variable-length output; hashing produces fixed-length output.
In Microsoft's security ecosystem, both techniques are extensively used across Azure services, Microsoft 365, and identity platforms to safeguard sensitive information and ensure compliance with security standards.
Encryption and Hashing Fundamentals – SC-900 Study Guide
Why Encryption and Hashing Fundamentals Matter
Encryption and hashing are two of the most foundational pillars of modern cybersecurity. They protect data confidentiality, ensure data integrity, and enable authentication and non-repudiation across virtually every digital system. For the SC-900 (Microsoft Security, Compliance, and Identity Fundamentals) exam, understanding these concepts is essential because they underpin many of the security services and compliance frameworks discussed throughout the certification. Whether data is at rest in Azure Storage, in transit across a network, or being used to verify a user's identity, encryption and hashing are the mechanisms that keep that data secure.
Without encryption, sensitive information such as passwords, financial records, and personal data would be exposed in plaintext, making it trivial for attackers to steal or tamper with it. Without hashing, there would be no reliable way to verify that data has not been altered or to securely store credentials. Understanding these fundamentals helps you grasp how Microsoft services like Azure Key Vault, Microsoft Defender, BitLocker, and Azure Information Protection work behind the scenes.
What Is Encryption?
Encryption is the process of converting plaintext (readable data) into ciphertext (unreadable data) using an algorithm and a key. Only someone who possesses the correct decryption key can reverse the process and recover the original data. Encryption ensures confidentiality — meaning that even if data is intercepted, it cannot be read without authorization.
There are two primary types of encryption:
1. Symmetric Encryption
- Uses a single shared key for both encryption and decryption.
- Both the sender and the receiver must possess the same secret key.
- It is fast and efficient, making it ideal for encrypting large volumes of data.
- Examples include AES (Advanced Encryption Standard) and 3DES (Triple Data Encryption Standard). AES is the current standard; 3DES is deprecated by NIST and should only be encountered in legacy systems.
- The main challenge is key distribution — how do you securely share the key with the other party without it being intercepted?
2. Asymmetric Encryption (Public Key Encryption)
- Uses a pair of keys: a public key (shared openly) and a private key (kept secret).
- Data encrypted with the public key can only be decrypted with the corresponding private key. The pair also works in the other direction for signing: a value produced with the private key can be checked by anyone who holds the public key, which is the basis of digital signatures.
- It solves the key distribution problem inherent in symmetric encryption.
- It is slower than symmetric encryption due to mathematical complexity.
- Examples include RSA (Rivest-Shamir-Adleman) and ECC (Elliptic Curve Cryptography).
- Commonly used in digital signatures, TLS/SSL handshakes, and certificate-based authentication.
Encryption in Practice:
- Encryption at rest: Protects stored data (e.g., Azure Storage Service Encryption, BitLocker for disk encryption).
- Encryption in transit: Protects data as it moves across networks (e.g., TLS/HTTPS, VPN tunnels).
- Encryption in use: Protects data while it is being processed (e.g., Azure Confidential Computing, which uses hardware-based Trusted Execution Environments).
In many real-world implementations, symmetric and asymmetric techniques are used together. For example, during a TLS handshake, asymmetric cryptography is used to establish a shared symmetric session key (in TLS 1.3 this is an ephemeral Diffie-Hellman key agreement, with the server proving its identity by signing the handshake with the private key behind its certificate), and that symmetric key then encrypts the remainder of the communication because of its speed advantage.
What Is Hashing?
Hashing is the process of converting input data of any size into a fixed-length output (called a hash value, hash digest, or simply a hash) using a mathematical function called a hash function. Unlike encryption, hashing is a one-way process — you cannot reverse a hash to recover the original data.
Key Properties of Hashing:
- Deterministic: The same input always produces the same hash output.
- Fixed-length output: Regardless of input size, the hash output is always the same length (e.g., SHA-256 always produces a 256-bit hash).
- One-way function: It is computationally infeasible to reverse-engineer the original input from the hash.
- Collision-resistant: It should be extremely difficult to find two different inputs that produce the same hash output.
- Avalanche effect: A small change in input produces a dramatically different hash output.
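The properties above can be checked directly with Python's standard `hashlib`. The following is an added example written for this guide (not code from the original page or from Microsoft); the sample inputs are constructed for the demonstration:

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex-encoded SHA-256 digest: always 64 hex characters (256 bits)."""
    return hashlib.sha256(data).hexdigest()


def digest_bits(data: bytes, algorithm: str = "sha256") -> int:
    """Digest length in bits for `algorithm`; independent of the input size."""
    return hashlib.new(algorithm, data).digest_size * 8


def differing_bits(a: bytes, b: bytes) -> int:
    """Count the bits that differ between SHA-256(a) and SHA-256(b).

    For a good hash function roughly half of the 256 bits flip even when the
    inputs differ by a single character: the avalanche effect.
    """
    da = int.from_bytes(hashlib.sha256(a).digest(), "big")
    db = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return bin(da ^ db).count("1")


def is_deterministic(data: bytes, runs: int = 3) -> bool:
    """Hashing the same input repeatedly must always yield the same digest."""
    digests = {sha256_hex(data) for _ in range(runs)}
    return len(digests) == 1


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    small = b"abc"
    large = b"x" * 1_000_000
    print(sha256_hex(small))                        # 64 hex characters
    print(digest_bits(small), digest_bits(large))   # 256 256: length does not depend on input
    print(differing_bits(b"Transfer $100", b"Transfer $900"))  # about half of 256 bits
    print(is_deterministic(large))
```

The `differing_bits` count is the practical face of the avalanche property: an attacker who alters one digit of a payment instruction does not get a digest that is "close" to the original, so a comparison of the two digests cannot be fooled by a near miss.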
Common Hashing Algorithms:
- SHA-256 (Secure Hash Algorithm 256-bit): Widely used and considered secure; part of the SHA-2 family.
- SHA-3: The latest member of the Secure Hash Algorithm family.
- MD5 (Message Digest 5): Older and now considered insecure for security purposes due to known collision vulnerabilities. It is still sometimes used as a checksum to detect accidental corruption, but it cannot be relied on to detect deliberate tampering.
- SHA-1: Also considered deprecated for security use due to demonstrated collision attacks.
Common Uses of Hashing:
- Password storage: Instead of storing plaintext passwords, systems store a hash of the password. When a user logs in, the system hashes the entered password and compares it to the stored hash. If they match, access is granted. This means that even if the database is compromised, the passwords themselves are not directly exposed. In practice the hash must be salted and computed with a deliberately slow password-hashing function (such as PBKDF2, bcrypt, scrypt, or Argon2) rather than a single fast SHA-256, because a fast hash of a weak password can be brute-forced offline in seconds.
- Data integrity verification: Hashes are used to verify that files or messages have not been tampered with. A file's hash is computed before and after transfer; if the hashes match, the file is intact.
- Digital signatures: A hash of a message is signed with the sender's private key (an operation often described as "encrypting the digest with the private key") to create a digital signature, which the recipient can verify using the sender's public key.
- Certificates: Digital certificates use hashing to ensure the integrity of the certificate data.
Salting:
To further protect hashed passwords, a salt (a random value, unique per password) is stored alongside the hash and combined with the password before hashing. This ensures that even if two users have the same password, their stored hashes will be different. Salting defeats rainbow table attacks (precomputed hash lookup tables) and forces an attacker to crack each hash separately. It does not by itself stop a dictionary attack against a single weak password; that is the job of the slow password-hashing function the salt is combined with.
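An added example (written for this guide, not code from the original page) that puts the password-storage and salting points above into practice with the standard library: PBKDF2-HMAC-SHA256 with a per-password random salt, a constant-time comparison on verification, and the weak unsalted pattern beside it so the difference is visible. The 600,000 iteration count is the OWASP Password Storage Cheat Sheet figure at the time of writing; the record format `algorithm$iterations$salt$key`, the function names and the sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Work factor for PBKDF2-HMAC-SHA256. 600,000 iterations is the OWASP
# Password Storage Cheat Sheet recommendation (assumption: tune for your hardware).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$key_hex.

    A fresh random salt is generated per call, so two users who choose the
    same password end up with different stored records.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


def unsalted_sha256(password: str) -> str:
    """The weak pattern: one fast, unsalted hash. Shown only for contrast."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist: Iterable[str]) -> dict:
    """Precomputed hash -> password map: the idea behind rainbow/lookup tables."""
    return {unsalted_sha256(word): word for word in wordlist}


def crack_with_table(table: dict, stored_hash: str) -> Optional[str]:
    """Instant recovery when the stored value is an unsalted fast hash."""
    return table.get(stored_hash)


if __name__ == "__main__":
    # Constructed sample passwords for the demonstration.
    alice = hash_password("password123")
    bob = hash_password("password123")
    print(alice != bob)                       # same password, different salts
    print(verify_password("password123", alice))
    table = build_lookup_table(["letmein", "password123", "qwerty"])
    print(crack_with_table(table, unsalted_sha256("password123")))  # cracked instantly
    print(crack_with_table(table, alice.split("$")[3]))             # None
```

Storing the iteration count inside the record is what lets you raise the work factor later and re-hash users transparently at their next login, without a flag day.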
Key Differences Between Encryption and Hashing
Understanding the distinction is critical for the SC-900 exam:
- Encryption is reversible (with the correct key); hashing is not reversible.
- Encryption ensures confidentiality; hashing ensures integrity.
- Encryption requires a key (or key pair); hashing does not use a key (though HMAC — Hash-based Message Authentication Code — does combine a key with hashing).
- Encrypted output varies in length based on input; hash output is always a fixed length.
- Encryption is used when you need to retrieve the original data; hashing is used when you need to verify data without revealing it.
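The following added example (written for this guide, not code from the original page) illustrates the keyed-versus-unkeyed distinction above with a constructed update manifest: a plain SHA-256 digest detects tampering only when the reference digest reaches the verifier over a trusted channel, whereas an HMAC tag cannot be recomputed by an attacker who does not hold the key. The manifest contents, the URLs and the function names are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample artefact: a tiny "update manifest" a client might download.
MANIFEST = (
    b"package=agent\n"
    b"version=2.4.1\n"
    b"source=https://updates.example.com/agent-2.4.1.msi\n"
)


def file_digest(data: bytes) -> str:
    """Unkeyed SHA-256 of the contents, as typically published next to a download."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, published_hex: str) -> bool:
    """Integrity check against a digest obtained over a trusted channel."""
    return hmac.compare_digest(file_digest(data), published_hex)


def make_tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 authentication tag; computing it requires the secret key."""
    return hmac.new(key, data, "sha256").digest()


def verify_tag(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(make_tag(key, data), tag)


def tamper(data: bytes) -> bytes:
    """Constructed attacker modification: redirect the download to a hostile host."""
    return data.replace(b"https://updates.example.com", b"https://evil.example.net")


def scenario() -> dict:
    """Run both checks against the original and the tampered manifest."""
    key = secrets.token_bytes(32)          # shared only by publisher and verifier
    published = file_digest(MANIFEST)
    tag = make_tag(key, MANIFEST)
    forged = tamper(MANIFEST)
    attacker_key = secrets.token_bytes(32)  # the attacker does not know `key`
    return {
        "plain_hash_accepts_original": verify_digest(MANIFEST, published),
        "plain_hash_detects_tamper": not verify_digest(forged, published),
        # If the attacker can also rewrite the published digest, the check is worthless.
        "plain_hash_fooled_if_attacker_recomputes": verify_digest(forged, file_digest(forged)),
        "hmac_accepts_original": verify_tag(key, MANIFEST, tag),
        "hmac_detects_tamper": not verify_tag(key, forged, tag),
        # Without the key the attacker cannot produce a valid tag for the forgery.
        "hmac_rejects_attacker_tag": not verify_tag(key, forged, make_tag(attacker_key, forged)),
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The third entry is the practical lesson: a hash published on the same web page as the download protects against corruption, not against an attacker who controls that page. Either the reference digest must come from somewhere the attacker cannot write to, or the check must be keyed (HMAC) or signed.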
How Encryption and Hashing Work Together
In practice, these technologies often complement each other:
- Digital signatures use hashing to create a digest of a message, then asymmetric encryption to sign the digest.
- TLS/SSL uses asymmetric encryption for key exchange, symmetric encryption for data transfer, and hashing for message integrity.
- Password verification relies on hashing (with salting), while the database connection itself may be encrypted.
- Certificates issued by Certificate Authorities (CAs) use hashing and asymmetric encryption to validate identity and secure communications.
Relevant Microsoft Technologies
For the SC-900 exam, be familiar with how Microsoft applies these concepts:
- Azure Key Vault: Centralized management of encryption keys, secrets, and certificates.
- BitLocker: Full-disk encryption for Windows devices (encryption at rest).
- TLS 1.2/1.3: Used for encryption in transit across Microsoft services.
- Azure Storage Service Encryption (SSE): Automatically encrypts data at rest in Azure Storage using AES-256.
- Azure Information Protection (AIP): Uses encryption to protect documents and emails based on classification labels.
- Microsoft Defender for Cloud: Monitors and recommends encryption best practices.
- Azure Confidential Computing: Protects data in use through hardware-based trusted execution environments.
Exam Tips: Answering Questions on Encryption and Hashing Fundamentals
1. Know the core distinction: If a question asks about protecting data confidentiality, the answer is encryption. If it asks about verifying data integrity or securely storing passwords, the answer is hashing. This is the most commonly tested differentiation.
2. Remember reversibility: Encryption is reversible (two-way); hashing is irreversible (one-way). If a question mentions recovering or reading original data, it is referring to encryption.
3. Symmetric vs. Asymmetric: Symmetric uses one shared key and is faster; asymmetric uses a key pair (public/private) and solves the key distribution problem. Expect questions that ask you to identify which type is used in a given scenario.
4. Encryption states: Be prepared to identify encryption at rest, in transit, and in use. Know examples of each (BitLocker for at rest, TLS for in transit, Confidential Computing for in use).
5. Understand salting: If a question mentions protecting hashed passwords from rainbow table attacks, the answer involves salting — adding a random value before hashing.
6. Digital signatures combine both: A digital signature uses hashing (to create a digest) and asymmetric encryption (to sign the digest with the sender's private key). This provides both integrity and non-repudiation.
7. Watch for deprecated algorithms: MD5 and SHA-1 are considered insecure. If a question asks which algorithm is secure or recommended, choose SHA-256 or other SHA-2/SHA-3 family members.
8. Read questions carefully for keywords:
- Confidentiality → Encryption
- Integrity → Hashing
- Non-repudiation → Digital signatures (hashing + asymmetric encryption)
- Authentication → Can involve both (certificates use asymmetric encryption; password verification uses hashing)
9. Azure Key Vault: Know that Azure Key Vault is the go-to service for managing encryption keys, secrets (like connection strings and passwords), and certificates in Azure. It supports both software-protected and HSM (Hardware Security Module)-protected keys.
10. Eliminate distractors: Some answer choices may try to confuse encryption with encoding or compression. Encoding (like Base64) is not a security mechanism — it does not use a key and is easily reversible by anyone. Compression reduces file size, not security. Only encryption and hashing provide security guarantees.
11. Practice scenario-based thinking: The SC-900 exam often presents scenarios. For example: "A company needs to ensure that files stored in Azure Blob Storage cannot be read if an attacker gains access to the storage account." The answer here is encryption at rest. Another example: "A company needs to verify that a downloaded software update has not been tampered with." The answer is hashing (comparing hash values).
12. Remember the CIA triad connection:
- Confidentiality — achieved through encryption
- Integrity — achieved through hashing
- Availability — not directly related to encryption or hashing, but protected by other security measures
By mastering these fundamentals and understanding how Microsoft implements them across its cloud services, you will be well-prepared to answer encryption and hashing questions on the SC-900 exam with confidence.